Moodle: reflected xss risk in blog search
Description
The vulnerability exists in Moodle due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 4.0.0-beta, < 4.0.6 | 4.0.6 |
| moodle/moodle (Packagist) | >= 4.1.0-beta, < 4.1.1 | 4.1.1 |
Affected products (OSV coordinates)
- (no CPE) range: >= 4.0.0, < 4.0.6
- (no CPE) range: >= 4.0.0-beta, < 4.0.6
- 1 more range not shown on this page
Patches
Vulnerability mechanics
Root cause
"Insufficient sanitization of user-supplied data in blog search allows cross-site scripting (XSS)."
Attack vector
A remote attacker crafts a link containing malicious HTML or JavaScript in the blog search parameter. When a victim follows this link, the unsanitized search string is rendered in the page's navigation bar, causing the attacker's script to execute in the victim's browser in the context of the vulnerable Moodle site. [CWE-79][ref_id=1]
Affected code
The vulnerability is in `blog/lib.php` within the `blog_get_headers()` function. The `$search` string is passed directly to `get_string('searchterm', 'blog', $search)` without sanitization, allowing user-controlled input to be rendered unsafely in the page's navigation bar. [patch_id=6651205]
What the fix does
The patch wraps the `$search` variable with the `s()` function, which is Moodle's standard output-escaping function for HTML contexts. Before the fix, the user-supplied search string was passed raw to `get_string()`, allowing embedded HTML and script tags to be rendered unsanitized. After the fix, the search term is properly escaped before being placed in the navigation bar, preventing XSS. [patch_id=6651205]
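To make the before/after behaviour described under "Affected code" and "What the fix does" concrete, here is an added, self-contained PHP example that is not Moodle's own code. It uses stand-ins for the two Moodle helpers the advisory names: `get_string()` is reduced to a constructed one-entry string table with `{$a}` placeholder substitution, and `s()` is modelled as an `htmlspecialchars()` wrapper for an HTML context (the exact flags are an assumption). The search input is constructed and deliberately harmless; the point is to see that the unescaped path lets markup through while the fixed path neutralizes it.

```php
<?php
// Added example, not code from Moodle or from the advisory.
// Stand-ins for Moodle's get_string() and s(); both are assumptions.
declare(strict_types=1);

function get_string(string $identifier, string $component, $a = null): string {
    // Constructed string table standing in for Moodle's language packs.
    $strings = ['blog' => ['searchterm' => 'Search results for "{$a}"']];
    $template = $strings[$component][$identifier] ?? $identifier;
    // Real get_string() substitutes {$a}; it performs no HTML escaping.
    return str_replace('{$a}', (string) $a, $template);
}

function s(string $var): string {
    // Modelled HTML-context escaper (assumption about exact flags).
    return htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Before the fix: the raw request parameter reaches the navbar text unchanged.
function navbar_text_vulnerable(string $search): string {
    return get_string('searchterm', 'blog', $search);
}

// After the fix: the search term is escaped before it is placed in the navbar.
function navbar_text_fixed(string $search): string {
    return get_string('searchterm', 'blog', s($search));
}

// Simple check a reviewer or test can run: does any raw markup survive?
function contains_raw_markup(string $html_fragment): bool {
    return strpbrk($html_fragment, '<>') !== false;
}

// Constructed, harmless input containing HTML markup and quotes.
$search = '<b>moodle</b> "quoted"';

echo "vulnerable: ", navbar_text_vulnerable($search), "\n";
echo "fixed:      ", navbar_text_fixed($search), "\n";
echo "raw markup in vulnerable output: ",
    contains_raw_markup(navbar_text_vulnerable($search)) ? 'yes' : 'no', "\n";
echo "raw markup in fixed output:      ",
    contains_raw_markup(navbar_text_fixed($search)) ? 'yes' : 'no', "\n";
```

Running it with `php example.php` prints the vulnerable line with the `<b>` tags intact (they would be interpreted as HTML by a browser) and the fixed line with `&lt;b&gt;` and `&quot;` entities, so the browser shows the term as text. The `contains_raw_markup()` check is the kind of assertion worth keeping in a regression test for any code path that interpolates request data into a template string.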
Preconditions
- Authentication: the victim must be logged into a Moodle site that has blog search enabled, and the victim must have the 'moodle/blog:search' capability in the site context.
- Input: the attacker must trick the victim into clicking a crafted URL containing a malicious search parameter.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-grmj-gpwm-98ww (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-23922 (GHSA, advisory)
- bugzilla.redhat.com/show_bug.cgi (GHSA, web)
- moodle.org/mod/forum/discuss.php (GHSA, web)
News mentions
No linked articles in our index yet.